Hi All , Can some one help me understand why similar query gives me 2 different results for a intrusion detection datamodel . Only difference bw 2 is the order . Query 1: | tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url | eval source="wildfire" | rename IDS_Attacks.url as wildfireurl | rex field=wildfireurl "(?P<domain>[^\/]*)" | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString | search EvidenceDetails =* OR description=* OR RiskString=* | rename "IDS_Attacks.*" as * | append [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete" [| inputlookup ids_malicious_ip_tracker | fields src | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match | where src_match="NONE" OR isnull(src_match) | fields - src_match | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight | lookup ips_tor.csv ip as All_Traffic.src output app as app | search EvidenceDetails =* OR description=* OR app="tor" | where Risk > 69 OR weight > 40 OR app="tor" | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description) | fields - description, EvidenceDetails | eval Attack_Count = mvcount(rf_evidence_details_0) | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12 | rename "All_Traffic.*" as *] | append [| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight | search EvidenceDetails =* OR description=* | where Risk > 69 OR weight > 40 | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description) | fields - description, EvidenceDetails | eval Attack_Count = mvcount(rf_evidence_details_0) | search count > 100 | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12 | rename "All_Traffic.*" as *] Second Query : | tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight | search EvidenceDetails =* OR description=* | where Risk > 69 OR weight > 40 | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description) | fields - description, EvidenceDetails | eval Attack_Count = mvcount(rf_evidence_details_0) | search count > 100 | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12 | rename "All_Traffic.*" as * | append [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete" [| inputlookup ids_malicious_ip_tracker | fields src | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match | where src_match="NONE" OR isnull(src_match) | fields - src_match | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight | lookup ips_tor.csv ip as All_Traffic.src output app as app | search EvidenceDetails =* OR description=* OR app="tor" | where Risk > 69 OR weight > 40 OR app="tor" | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description) | fields - description, EvidenceDetails | eval Attack_Count = mvcount(rf_evidence_details_0) | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12 | rename "All_Traffic.*" as *] | append [| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url | eval source="wildfire" | rename IDS_Attacks.url as wildfireurl | rex field=wildfireurl "(?P<domain>[^\/]*)" | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString | search EvidenceDetails =* OR description=* OR RiskString=* | rename "IDS_Attacks.*" as *] (edited) above query has 3 parts suspicious inbound ,suspicious outbound and suspicious url . While executing the first query i am getting 1 result and while executing 2 query i am getting 6 results for the same time frame
... View more